Cisco Support Community
Community Member

how to restrict unauthorized user to access network

If all of PCs used fixed IP address, and I have the MAC-IP mapping table for all of the PCs, How can I restrict unauthorized PCs ( these PCs not in my MAP-IP mapping table ) to access network ? We don't want to use layer 2 switch port security function. The following is my solution :

I try to setup static ARP entries for all of these PCs, I also setup static ARP entries for un-used IP addresses ( IP addresses not used by these PCs ) but the MAC address for un-used IP addresses are not real. The reason is for limit someone try to connect unauthorized PC, setup a temp IP address to access to network.

But this solution have some limitation, we have up to 3000 PCs, my Layer 3 switch ( Catalyst 6509 ) can not setup so many static ARP entries.

Is there any good idea for my question? ( all of my edge switch is Catalyst 3524 )

Best Regards,


Re: how to restrict unauthorized user to access network

A good idea is port security. ;-) It's 1,000 times easier than what you're proposing.

Even better is VMPS (which is basically dynamic port security in your case) if your 6509 is running CatOS (IOS switches can't act as a VMPS Server). Though I also don't know offhand if 3524's support the VMPS Client feature.

CreatePlease to create content